Month: July 2005

Another article on loss of confidence in Internet identity – this time by Christina Kolerich at Newsfactor Networks. She says, in part:

According to a recent study by the research group The Conference Board, growing security concerns are causing Internet users to alter their online behavior. The study found that more than 13 percent of all Internet users say they or members of their households have been victims of identity theft.

According to the study, 41 percent of consumers are purchasing less merchandise online. A major reason for this decline is the fear that financial institutions are not protecting consumer information adequately.

“Trust has been broken on more than one level,” said Lynn Franco, director of The Conference Board's Consumer Research Center. “It's not only the transaction; it is the storing and transporting of personal information that is making people afraid to shop online.”

The study revealed that while the number of households shopping online is not decreasing, the number of purchases per household is decreasing. In order for online retailers to recapture the momentum, they need to address these security issues and regain consumer trust, Franco said.

The study also revealed that 54 percent of online consumers say they are more concerned today about the security of their personal information on the Internet than they were a year ago. That concern is making them more proactive in their computing behavior.

“Nearly 70 percent of online shoppers have security software on their PCs. Consumers are very concerned about any type of financial transaction, purchasing or banking,” said Franco.

Christina's article has admirable balance, and she goes on to point out:

Despite these concerns, online retailing continues to grow in double digits, and online retailers are making profits. According to a recent study conducted by Forrester, online sales in 2004 rose 23.8 percent to over $141 billion. The report predicts that online retail sales will hit $172 billion by the end of 2005.

She also quotes Gartner's Litan as saying:

“One percent to 3 percent is not that big as e-commerce is growing on a 10-to-20-percent forecast,” said Litan.

The growth of e-Commerce and the growth of internet identity fraud are two conflicting and opposed dynamics. But it's wrong to think they are unconnected. The growth in e-commerce will inevitably fuel the growth of internet fraud, which studies estimate is already growing at 20 percent per month (not per year…)

Unchecked, the intertwining of these tendencies leads to something we should think of as an identity meltdown. I don't think it will then be possible to just “switch off the set” and return to normalcy. We will need to go through a reconstruction period, in which a safe and reliable infrastructure is put in place.

Think forward from today. How will we know we have passed from the period of identity breaches into identity meltdown? If we start the reconstruction today, can we avert such a meltdown? And if so, how much time do we have?

Seems like the Seven Laws were slashdotted over the weekend. I guess I could've guessed I was in for something when I received a very friendly note that included this postscript: “P.S. I hope you have A LOT of bandwidth :)”. But I headed off to a remote lake on the Precambrian Shield anyway. Meanwhile, a whole lot of identity talk was going to take place all Saturday night and Sunday morning.

As you would expect, there were people involved representing the entire spectrum of ideas and backgrounds with respect to identity thinking. Some seemed quite familiar with the discussion we've been having here. Some were new to the laws but took the time to read the whitepaper before going nuts. Others bounced off the laws in point form – it being Saturday night and all – reeling off in all possible directions. Then there were a few who took any sign that people at Microsoft were thinking about identity as being a bad omen indeed. All in all, I've really found the discussion interesting.

Unfortunately my friends at MSDN had improved the web services area of the site sufficiently that my link to the browser version of the Laws of Identity pointed to… outer space. Truth is, it's my fault. I knew in my bones that I was taking a chance when I set up that link. I've now got my own version located here – and will stop using external links to important documents…

If you don't have time to read a few hundred entries… here's a medley:

Then why are you posting as Atlantis-Rising and not as Anonymous Coward?

Identity and anonymity are not mutually exclusive. Slashdot has identified you as Atlantis-Rising. They need to identify you in order to provide you with your karma bonus, your custom homepage, and so on.

So long as an identity system is not required to link an identity to a particular real-world person, or with other identities shared by that particular person, it can support anonymity just fine.

I really liked that. Let's call it pithy. And it is exactly what I have intended through the laws. As a technical person it seems obvious that the null set is part of the set of identity sets. Right?

But talking later with my excellent friend and partner Adele Freedman, she pointed out in an irritated sort of way that in the non-digital world, identity and anonymity really are exclusive. Anonymity is “the quality or state of being unknown or unacknowledged.” But identity is, “the collective aspect of the set of characteristics by which a thing is definitively recognizable or known.”

So my takeaway is that we need to improve the way we talk about this. We want it to be crystal clear that one of the options an identity metasystem should support is for digital subjects to be anonymous. This, of course, does not imply that sites need to grant access to anonymous parties.

While a lot of discussion on slashdot involved a strong defense of the right to be anonymous, there were a number of voices echoing that of Anonymous Brave Guy:

You're entitled to your tinfoil-wrapped opinion, of course, but as I always point out in these discussions, there would be a lot of advantages to having some form of confirmed identity connected with Internet-based activity, even if it's generally concealed or only anonymously verifiable except to suitable authorities.

If everything could ultimately be tracked back to you eventually, things like spamming, virus distribution, defamation, on-line fraud, and numerous other harmful behaviours would be dramatically reduced. You could improve a lot of people's lives here.

Of course, you also have to identify “suitable authorities” who should get the right to access this information. That might be relatively easy in the West — we have court systems that most people would probably trust to issue such orders if and when necessary — but the Internet is international and what's free speech to you might be illegal anti-government propaganda in certain other places.

Personally, I think most of the supposed advantages of anonymity on the Internet are illusory anyway. Does anyone really believe that all these people in China are happily speaking freely on the Internet as it stands today anyway?

Hence, on balance, a reliable identity system gets my conditional agreement, subject to the devil in the details of course.

This view takes the introduction of identity as meaning the introduction of mandatory flesh-and-blood identification. What a huge leap – and yet a common one! I think this happens because many people are as fed up with “spamming, virus distribution, defamation, on-line fraud, and numerous other harmful behaviours” as Anonymous Brave Guy, and don't have the benefit of the kind of ongoing discussion which is necessary to work through all the potential outcomes of various proposed solutions.

The important thing is to move from draconian solutions to those in which different internet sites are able to decide what kind and level of identification is appropriate to their mission. It is unreasonable to think there is one answer for the entire Internet.

Some sites work fine with anonymous identities. Others may work better with pseudonymous identities – where flesh-and-blood identity is suppressed but can be used by those running the site to block those who break its code of behavior from reappearing under a new pseudonym. And so on ad infinitum, up to sites that require a real-world identity because they facilitate public real-world transactions.

Naturally the objections to Anonymous Brave Guy were many. For example kaens spoke for many about some of the ominous possibilities of Brave Guy's thinking when he said:

I honestly would not trust anybody with a position of political power to have the capability of tracking back everyone's online activities – there is too much of a chance that it would eventually get used for reducing more than just the harmful activities, it could get used for reducing the amount of people in the public that have dissenting opinions.

Also, even if the capability could be introduced, it would be cracked/spoofed/worked around somehow eventually, unless there was some sort of way to prevent computers from communicating with each other in the ways that they currently do, and some sort of way to prevent people from creating their own networks.

Subject to the devil in details, agreed. The thing is, who do you think would have control over what the details are? As it stands not you or I.

Planesdragon swooped in to argue that identification could therefore be optional (giving the user a smidgeon of control but not rejecting the draconian internet-wide edict of Brave Guy):

The easy answer is “make it optional.” Let folk stay anonymous if they want–you just don't need to give them anything.

Try buying something online without using ANYTHING that links back to you. After you do that, kindly tell me how you managed to violate the laws of physics so.

Anonymous Coward, who is of course a collective persona, counters:

If the wrong person found out the wrong thing about me and people like me, I'd be worried that I and the others who share my opinions might be made to “somehow go away”.

Never underestimate the danger of corrupted power.

Someone like him (a doppelganger in the sense of being another Anonymous Coward) then added:

I agree completely. As many seem to be too ignorant to see the case in an abstract argument – to those who are still not seeing it:

Imagine a world where your government (and your employer, which, through corruption and a lot of money has access to the gov's data) has complete and correlated data about, among other things:

- your medical records or conditions (maybe you're a former drug addict?)
- sexual preferences (e.g. gay/lesbian, SM/fetishes in an intolerant community?)
- relationships and network of friends (detailed arguments with your girlfriend – from email monitoring?)
- your exact [political] opinion on every topic

Now, don't you see the potential some not-entirely-friendly entity has to squash you completely?

Of course many would say that Anonymous Coward is actually describing what is happening today… It is not action on the identity front that will lead to further problems, but lack of it.

An identity metasystem supporting directional (e.g. pairwise) identities (as proposed in law 4), and the use of strong cryptography and better design, is the only way to move us towards segregation of profile information, and cleaning up the data repositories which today are identity catastrophes-waiting-to-happen.

I would argue that both sides in the part of the slashdot discussion quoted above would be served by reading more about the laws and thinking about the problem at the more concrete level of how individual sites (and even networks of sites) can benefit from use of identity and pseudonymity, rather than leaping towards draconian conclusions and proposals.
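To make the directional (pairwise) identities of law 4 concrete, here is an added Python example; it is not code from the Laws of Identity whitepaper or from InfoCard. It assumes one possible construction (an HMAC-SHA256 over the site name, keyed by a secret held by the subject's identity agent), and the subject names, site names and attributes are constructed sample data.

```python
import hashlib
import hmac

# Constructed sample data: each secret is held only by that subject's
# identity agent (hypothetical names and values).
SUBJECT_SECRETS = {
    "alice": bytes.fromhex("11" * 32),
    "bob": bytes.fromhex("22" * 32),
}

# Constructed per-site attributes; keyed by subject name for the demo only.
SITE_ATTRIBUTES = {
    "clinic.example": {"alice": {"condition": "asthma"}, "bob": {"condition": "none"}},
    "forum.example": {"alice": {"posts": 412}, "bob": {"posts": 7}},
}


def omnidirectional_id(subject: str, site: str) -> str:
    """One identifier shown to every site: the site argument is ignored."""
    mac = hmac.new(SUBJECT_SECRETS[subject], b"global", hashlib.sha256)
    return mac.hexdigest()[:32]


def pairwise_id(subject: str, site: str) -> str:
    """Identifier bound to one (subject, site) pair.

    Assumed construction: the site name is the HMAC message, so the value
    issued to one site cannot be matched against the value issued to another.
    """
    mac = hmac.new(SUBJECT_SECRETS[subject], site.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]


def site_store(site: str, identifier_for) -> dict:
    """What a site's database ends up holding: identifier -> attributes."""
    return {identifier_for(name, site): dict(attrs)
            for name, attrs in SITE_ATTRIBUTES[site].items()}


def correlate(store_a: dict, store_b: dict) -> dict:
    """Join two stores on identifier, as anyone holding both dumps could."""
    shared = store_a.keys() & store_b.keys()
    return {key: {**store_a[key], **store_b[key]} for key in shared}


def linked_profiles(identifier_for) -> dict:
    """Profiles that can be merged across the clinic and the forum."""
    return correlate(site_store("clinic.example", identifier_for),
                     site_store("forum.example", identifier_for))


class Site:
    """A site that can refuse a returning subject without learning who it is."""

    def __init__(self, name: str):
        self.name = name
        self.blocked = set()

    def block(self, identifier: str) -> None:
        self.blocked.add(identifier)

    def admits(self, identifier: str) -> bool:
        return identifier not in self.blocked


if __name__ == "__main__":
    print("linkable with one global id:", len(linked_profiles(omnidirectional_id)))
    print("linkable with pairwise ids: ", len(linked_profiles(pairwise_id)))
```

Because the pairwise value is stable for a given site, that site can still recognise and block a returning subject, while two sites comparing their stores find nothing to join on.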

More later on some of the ideas coming from my friends and new acquaintances at slashdot…

Personalizing people's interaction with computer systems entails gathering considerable amounts of data about them. As numerous recent surveys have consistently demonstrated, computer users are very concerned about their privacy. Moreover, the collection of personal data is also subject to legal regulations in many countries and states. Such regulations impact a number of frequently employed personalization methods. This workshop will explore the potential of research on “privacy-enhanced personalization,” which aims at reconciling the goals and methods of user modeling and personalization with privacy constraints imposed by individual preferences, conventions and laws.

Caspar “recommended” Privacy, Shilling, and The Value of Information in Recommender Systems by Shyong K Lam and John Riedl (page 85).

I don't know if I agree with him, because as I was trying to skip forward to page 85, I fell deeply into Perceived Control: Scales for Privacy in Ubiquitous Computing by Sarah Spiekermann on page 3. You don't see enough empirical verification – so I find this kind of study fascinating. And there are a lot of other really good papers here.

Seems like an amazing 10,000 people have now looked at Scoble's Channel 9 Interview with me on Identity. I say amazing because we at identityblog.com pride ourselves on being, after all, the hair on the end of the long long tail…

In comments to this piece about the interview, Alex Krupp really came down hard on Greg Hughes' assertion that he is trying “…to protect people who do critical personal transactions on the Internet, and to catch the bad guys that try to steal and use your personal information.” He says,

This is the exact reason why bank security is so bad, because instead of focusing on securing the transaction they are focusing on securing the person who makes the transaction, which is impossible.

All you need to know is that the person who put the money in is taking it out for savings, and their name/company for checking. If they are worried about personal information being stolen then the battle is already lost, because they shouldn't need personal information to begin with.

It's true that once everyone has nice strong keys associated with their accounts, a lot of things get a lot easier. And I look to InfoCards as a way to finally get “nice strong keys” into the hands of customers.

But I don't think this makes the problem of protection of personal information go away. Bank databases contain vast amounts of sensitive personal information already. In fact I look at all of my banking data as sensitive personal data. As the banks make services more accessible through the Internet, I think it is both commendable and necessary for people like Greg to think very hard about how to protect the associated personal information – and isolate the people who are going after it.

Anyway, later, Alex comes back to add:

I watched the entire video, very interesting stuff. I will have to check out Solove's book.

I think your example of going into starbucks and having the option to broadcast pieces of identity is very good. Personally though, I think the cellphone is a poor medium for this. Cell batteries drain fast because of their phone use, it is large and bulky, and it is very insecure because it has to be able to take calls, install games and ringtones, browse the web, use bluetooth, etc. If you put your identity on a normal cellphone it would be a suboptimal experience, especially if hacked.

Instead imagine this: a ‘presence pen’ that gives you a digital identity in the physical world. It has the form factor of a pen and can broadcast selected bits of identity to who you tell it. You set these options on your computer before you leave your house. It can fit in a shirt pocket, and the battery lasts for 2+ weeks since it only needs to use bluetooth. You can't message friends on it, but you can toggle through preset away messages and send presence pokes to your friends. Sell it for 50 bucks, and for an extra 25 you can get built in GPS. A one line LCD displays all necessary data and you can toggle everything through two or three buttons.

I had a quiet giggle at Robert's [Scoble's…] totally irony-free comment, ‘I want to be able to store my personal details on Windows where I know it's secure’.

Overall I enjoyed the interview (and yes, I did watch all of it).

I had some thoughts about transience of identity information as well – it's all well and good if we have strong personal identity providers, but what if we want to move? Does the old provider retain data (on backup tapes, in archives, by legislative requirement) or should we be claiming the right not only to strong personal identity, but strong control over who is allowed to store, record and *keep* our personal data?

Personally I'd be eminently happy if my own personal identity provider's systems crashed and they couldn't restore my information – it means I still have control over what is stored about me…

The same goes for being able to choose my own personal identity provider, and I'd like to be able to share a secret with organisations where we both trust that a particular provider knows who I am, so I can authenticate myself with my chosen identity provider, and the company I'm dealing with takes it on trust that I am who I am, because my identity provider asserts I am who I am, rather than me doing it directly.

Which lets me do business without giving over any personal information at all. I posted these thoughts in slightly expanded form here.

I'm sitting on the edge of my seat, waiting to see the cool things people are going to build into InfoCards.

Thursday, July 28th, doors at 6, program at 7
CIIS, Namaste Hall, 3rd Floor
1453 Mission St., San Francisco (2 blocks from Civic Center BART)

In addition to Identity Woman Kaliya, you will meet:

Light Weight Identity – LID
Johannes Ernst, NetMesh Inc.
Light-Weight Identity(tm) – LID(tm) – a new and very simple digital identity protocol that puts users in control of their own digital identities, without reliance on a centralized party and without approval from an “identity provider”.

OpenID
Brad Fitzpatrick, Six Apart, Ltd.
OpenID, a decentralized identity system, but one that’s actually decentralized and doesn’t entirely crumble if one company turns evil or goes out of business. An OpenID identity is just a URL.

Sun Single Sign On
Pat Patterson, Sun Microsystems
Sun is announcing the intention to open source web single sign-on. This project, called Open Web Single Sign-On, or OpenSSO, gives developers access to the source code to these basic identity services and allows them to focus on innovations that solve more urgent problems, such as securely connecting partner networks, ensuring user privacy, and proving compliance.

Opinity, Inc
Ted Cho
Opinity provides open reputation for end users. It is a young start up offering free online reputation management related services so that individuals can authenticate, aggregate, and mobilize their website (eBay, Amazon, etc.) reputations. Opinity also offers reputation management tools so that individuals can monitor, build, and work to enhance their own reputation going forward. Individuals can also review other individuals at the Opinity website.

It's cool to see the posting by Greg Hughes at Lockergnome, who one can tell has paid his dues as a security professional, about my Channel 9 video. He actually seems to have gotten through all 55 minutes.

Over on Microsoft’s Channel 9, Scoble’s posted a new video of Kim Cameron, who has a weblog called the Identity Blog. He discusses identity and trust, and what it will take to build a single-experience trusted system for common identification. It’s an interesting conversation. I’ve read his weblog for a while now, so it’s good to see him speak about this.

“Identity is like the Hotel California of Technology – you can come but you can never leave. We have a lot of work to do.”

This is a topic that is near and dear to my professional heart. Identity protection and theft is something I deal with every day. It's complicated. It's not easy. It's a goose chase at times. There are almost no standards. But it's of great importance right now. The people I manage and work with are super-talented and are building a couple terrific pieces of security software right now, software intended to protect people who do critical personal transactions on the Internet, and to catch the bad guys that try to steal and use your personal information.

Where I work, we are charged with protecting the identities and assets of people who are doing critical financial transactions with their banks and credit unions. To us, this stuff matters – it matters a lot. And it should matter to anyone that's doing business on the ‘net and everyone who writes software used to do business on the ‘Net.

“It's impossible to be too paranoid about this… We have to be paranoid.”

The video is about 55 minutes, and it's worth the time for people who are concerned (or who should be concerned) about the topic. You'll need to get about two-thirds of the way through it til you get to Cameron's “Laws of Identity,” which are akin to pure gold in their simplicity. Go watch.

Isn't it great to think of people like Greg building systems like the one he describes in accordance with the Laws of Identity?

For starters — sorry Dick — I think it is insane to go into the hardware business. Who wants to buy a Sxip-branded rack mount?

Marc Canter, a big supporter of SXIP technology, responded using the real-world example of his friends at Marqui and the problems they had with their Salesforce application.

With all their bells and whistles, Salesforce doesn't provide secure reliable provisioning and access control. So if someone leaves your company, they can still get onto the system. Or if you've turned off their account, it's still really there, or the system just ain't secure enough! Whatever the problem is – it can be fatal.

So Sxip figured that their system would a) be a great helper app for Salesforce while b) showing off the power of Sxip.

As a Sxip developer and supporter this is really important.

At the same time – they probably also found out that the cost of incorporating identity security into a system is HUGE and it's STILL not that reliable. So why not offer the whole security layer as a hosted service – or even better – a box.

Spend all your time on mapping the two ID systems together – and rest assured that no matter what – the Sxip side of the equation is secure and stable.

Brilliant! – if I say so myself.

Back at the Burton blog, Craig is far from convinced:

He [Marc…] basically says that Sxip's support of Salesforce.com is best served by a hardware appliance. He actually calls it “brilliant.”

Poppycock.

I can't imagine how a customer is best served by a software identity infrastructure vendor (Sxip) by being a supplier of hardware. The only way for Sxip to make it work is to charge the customer for more than it is worth. All Sxip is doing is loading software to someone else's box with their name on it. What customer wants to pay Sxip employees for loading software? It simply makes no sense. Dick, rethink this.

What Sxip should be providing is a solution that will simply and easily load and run on anybody's box. When it comes to commodities — rack mount boxes — customer freedom of choice rules.

I ran into a number of people after the “User-centric Identity Day” at Catalyst who were confused by the hardware announcement and ended up thinking SXIP requires specialized hardware.

So let's clear that up at least for everyone who reads this blog: the Sxip Access appliance is only one Sxip option among several. You can implement Sxip in software-only form. Or you can have Sxip Networks host it for you. I think the experimentation with different delivery mechanisms stems from the fact that Dick Hardt cares and thinks about the “long tail” of identity – how sites with few IT resources can become identity enabled.

By the way, for those who don't know Craig Burton's background, he is the man who convinced Novell to stop tying their network operating system to a bizarre, proprietary network appliance known as a Novell server. And indeed, cutting the ties with proprietary hardware – previously the essence of the network product – opened a whole new world of opportunities for Novell. So in the appliance market, as in many others, Craig's is a voice to be reckoned with.

I'm just back from Catalyst, the yearly Burton Group Conference with a strong Identity theme. My hallway conversations left me with the impression that everyone who attended the Identity and Privacy strategies track thought it was a great success this year. I popped in to see what Anne Thomas Manes was up to in the Application Platform Strategies track as well. I think the Burton Group's work on integrating the worlds of application and identity strategy is tremendously useful and important. Hats off to all involved! Burton is doing a European conference in the fall, as described here.

Meanwhile, Phil Windley was blogging up a storm, and becoming more droll by the minute. How do you like this little report:

Scott Blackmer, speaking at Catalyst, just referred to something he saw on the Net about how it’s amazing that we can track the calves of a cow born in Canada right to their pens in Washington state, but we can’t track 11 million illegal aliens. The suggestion is that we give each illegal alien a cow.

Of course I'm an alien, so I don't think this is very funny, eh? But I'll take my cow anyway.

Jarrod Jasper of GM just told the story about an employee phone that was not deprovisioned when the employee left. The former employee decided to run a 900 number service through the phone. That one phone cost GM $50,000 per month—for 18 months—before it was shut down. Whoa!

Failure of the weakest link mustn’t lead to catastrophe. For example, smart card deployments are sufficient protection against social engineering and inside attacks. Encrypting the channel doesn’t stop dumpster diving.

Don’t put the role before the start. Role engineering is important, but it doesn’t drive the project.

Not every identity nail requires the technology hammer. Technology may be fine, but without governance, it will fail.

Use of a system invites abuse of the system. Test the architecture with attack vectors.

Identifying things doesn’t make them more secure. Identification can improve security, but security isn’t an inevitable outcome. Over-identification has repercussions.

Identity isn’t about the individual. It’s about the relationship. IdM encompasses the services community’s need for organization.

There are a lot more than seven flaws.

Finally, Phil covered the “Identity Gang” meeting that preceded the conference itself. It's a good description of what went on, and I agree with his conclusion that we need to move on to something a bit more structured.

I spent yesterday afternoon in an identity BOF meeting in San Diego. (See pictures at Kaliya’s Flickr site.) As you might expect, there’s plenty of people with an interest in identity systems at Burton Group’s Catalyst conference and so we took the opportunity to have a face-to-face discussion with about a dozen people who care about identity metasystems.

The topics today were far ranging and difficult to summarize, but there were some interesting issues.

There seems to be big disagreement (surprise) around whether HTTP, SMTP, and the like are completely broken from an identity standpoint or whether they can be salvaged. If not, then Microsoft’s move to SOAP-based protocols for the identity metasystem is a necessary first step for any transactions where identity is important.

To put this in perspective, banks and other financial institutions have pretty much been forced to abandon email as a means of communicating with their customers because of phishing. This is a problem even with things like SSL that allows, but doesn’t require, that users check the integrity of the sites that they visit.

Moving to different protocols requires different clients, or at least changes to existing clients to understand the new infrastructure. Of course, InfoCards (Microsoft’s proposed digital identity system) includes such a client, buried deep in the OS.

Kim Cameron believes that we can’t ask humans to manage multiple systems at the experiential level as well as manage the trust decisions, and everything else we need from them. This is a little bit of a “one client to rule them all” strategy, but there’s some sense to it. The browser is a great example of how a UI standard provides a common UI experience (at least to some degree) regardless of the vendor.

Another issue I found interesting had to do with auditing and transparency. One critical requirement for enterprise identity systems is auditing in order to ensure compliance, etc. For an Internet wide infrastructure there are other auditing requirements. For example, the user may want to disable auditing for privacy reasons. Of course, you may not be obligated to provide service without auditing enabled. The policy negotiation requirements in such a system boggle the mind.

Related to that is the need to provide human readable equivalents of machine readable tokens and assertions and to ensure that they are confluent. The microformats discussion that’s caught my eye lately seems suited to that requirement. I wonder if microformats can meet other requirements as well (and what they might be).

Fourth party auditing of actions provides checks and balances to protect entities from abuses by authenticating gatekeepers or asserting identifiers. Many times these fourth parties would be courts operating in widely varying jurisdictions. The metasystem can’t enforce these actions, only provide for them with proper transparency and auditing.

Another point of contention seems to be the very name “identity metasystem” itself. I think it was coined by Microsoft innocently enough to describe an identity system that ties other identity systems together. I think some would prefer it was called a “network” or something else. The word “system” implies there’s a there there, but in reality, it’s more about protocols and interop.

I think that we need to get this group, along with others together for a more formal discussion where we can get to the heart of what we can all agree on, find out where we really disagree (that’s not clear), and use that as an underpinning to understanding proposals. I’d like to see the various proposals laid out with philosophical beliefs, understand how those beliefs influence architectural choices, and then dive into whether we can agree that specific architectures support those various philosophies. I’m thinking of organizing a workshop in October (in the slot Digital ID World used to use) to do just that.

Today WS-SecurityPolicy, which is an important specification needed to build components that support InfoCards, was published here.

That means within the next couple of weeks we can release a version of The InfoCard Implementors’ Guide.

The Implementors’ guide will show the exact parts of WS-SecurityPolicy, WS-Trust and so on that will be used by the Windows InfoCard Selector (working name), and explain how all the knobs and levers work in the context of the proposed multi-centered identity metasystem that includes services and components running on other platforms and operating systems.

The guide will contain wire traces. My dream is that my team at Microsoft would work with other teams who are developing compatible systems so the InfoCard Implementors’ Guide becomes the clearest document of its type ever produced…

It will be interesting to see how far we still need to go in this regard!

Gee I love that name. I mean the Symposium On Usable Privacy and Security (SOUPS).

Last time I mentioned SOUPS (my new Sixth Law buddies) I used an unofficial link which later broke, but this paper, and the SOUPS outfit in general, is so interesting I want to bring it up again so anyone discouraged last time tries again. Meanwhile we got this invitation from Lorrie Cranor:

This paper was presented at SOUPS 2005. See here last week. We hope to be able to announce details of SOUPS 2006 soon… stay tuned… we hope some of you interested in the human issues of identity metasystems will participate.